[ Friday, March 11, 2005 ]
Privacy Problems at Kaiser:
According to this article
in the San Jose Mercury News (free, easy registration required), "Kaiser posted patient information on an unsecured technical Web site" and a disgruntled employee notified Kaiser about it. Kaiser took the information down, but it had been out there for a year or so. In addition to filing a complaint against her employer to the OCR, the employee also copied the information and reposted it to her blog. Now that Kaiser has found out that she posted the information on her blog, they're notifying the 140 or so folks whose information was posted.
The article indicates that the blogger could be subject to HIPAA penalties for the disclosure. One of my fellow HIPAAcrats on the AHLA HIT list noted that the article is wrong in this regard, since Kaiser will be the one subject to the penalties. Rightly or wrongly, in light of the Gibson case, I disagree. The blogger would certainly be subject to a HIPAA enforcement action if the Department of Justice were so inclined to take that route. Kaiser would also be subject to an enforcement action for the original posting on the techincal Web site, but their defense would be one of inadvertence. It would be hard for the blogger to make that cliam for her intentional posting.UPDATE (3/16):
Someone has pointed out to me that the Kaiser case highlights the dangers of ex-employees. Note that the Diva did her dirty deeds after departing her duties at Kaiser. This is a cautionary tale: make sure your ex-employees don't take PHI and don't have access to PHI. Good exit interviewing, and perhaps attaching strings to severance payments (careful, there) should be designed to at least force the departing employee to let you know if they think something is rotten in Denmark. In the exit interview, ask them if they have any PHI, know of any ways to access PHI, or know of any other vulnerabilities in your privacy or security. Require them, as a condition to receiving a severance package, to return all PHI in their possession and disclose to the company any areas they know of where PHI could be accessed by outside agents, not to disclose PHI, and to notify the company first before filing any complaints. You can't make them agree not to make required reports to governmental entities, but you can make them show their cards. Then, if they later try to be a whistleblower or otherwise cause problems, you can at least show that you took reasonable steps to discover the vulnerabilities before the PHI was hacked.
Something to think about, that's for sure.
Jeff [11:16 AM]
Blogger: HIPAA Blog - Edit your Template